cvelistv5 - cve-2024-52009

cve-2024-52009

Vulnerability from cvelistv5

Published

2024-11-08 22:24

Modified

2024-11-12 19:19

Severity ?

8.5 (High) - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H

Summary

Git credentials are exposed in atlantis logs

References

▼	URL	Tags
	security-advisories@github.com	https://argo-cd.readthedocs.io/en/stable/operator-manual/security
	security-advisories@github.com	https://github.com/runatlantis/atlantis/issues/4060
	security-advisories@github.com	https://github.com/runatlantis/atlantis/pull/4667
	security-advisories@github.com	https://github.com/runatlantis/atlantis/releases/tag/v0.30.0
	security-advisories@github.com	https://github.com/runatlantis/atlantis/security/advisories/GHSA-gppm-hq3p-h4rp

Impacted products

▼	Vendor	Product
	runatlantis	atlantis

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-52009",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-11-12T19:19:05.416739Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-11-12T19:19:58.293Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "atlantis",
          "vendor": "runatlantis",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 0.30.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Atlantis is a self-hosted golang application that listens for Terraform pull request events via webhooks. Atlantis logs contains GitHub credentials (tokens `ghs_...`) when they are rotated. This enables an attacker able to read these logs to impersonate Atlantis application and to perform actions on GitHub. When Atlantis is used to administer a GitHub organization, this enables getting administration privileges on the organization. This was reported in #4060 and fixed in #4667 . The fix was included in Atlantis v0.30.0. All users are advised to upgrade. There are no known workarounds for this vulnerability."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 8.5,
            "baseSeverity": "HIGH",
            "privilegesRequired": "LOW",
            "subAvailabilityImpact": "HIGH",
            "subConfidentialityImpact": "HIGH",
            "subIntegrityImpact": "HIGH",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "NONE"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-532",
              "description": "CWE-532: Insertion of Sensitive Information into Log File",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-11-08T22:24:15.300Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/runatlantis/atlantis/security/advisories/GHSA-gppm-hq3p-h4rp",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/runatlantis/atlantis/security/advisories/GHSA-gppm-hq3p-h4rp"
        },
        {
          "name": "https://github.com/runatlantis/atlantis/issues/4060",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/runatlantis/atlantis/issues/4060"
        },
        {
          "name": "https://github.com/runatlantis/atlantis/pull/4667",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/runatlantis/atlantis/pull/4667"
        },
        {
          "name": "https://argo-cd.readthedocs.io/en/stable/operator-manual/security",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://argo-cd.readthedocs.io/en/stable/operator-manual/security"
        },
        {
          "name": "https://github.com/runatlantis/atlantis/releases/tag/v0.30.0",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/runatlantis/atlantis/releases/tag/v0.30.0"
        }
      ],
      "source": {
        "advisory": "GHSA-gppm-hq3p-h4rp",
        "discovery": "UNKNOWN"
      },
      "title": "Git credentials are exposed in atlantis logs"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-52009",
    "datePublished": "2024-11-08T22:24:15.300Z",
    "dateReserved": "2024-11-04T17:46:16.779Z",
    "dateUpdated": "2024-11-12T19:19:58.293Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-52009\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2024-11-08T23:15:05.030\",\"lastModified\":\"2024-11-12T13:56:54.483\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Atlantis is a self-hosted golang application that listens for Terraform pull request events via webhooks. Atlantis logs contains GitHub credentials (tokens `ghs_...`) when they are rotated. This enables an attacker able to read these logs to impersonate Atlantis application and to perform actions on GitHub. When Atlantis is used to administer a GitHub organization, this enables getting administration privileges on the organization. This was reported in #4060 and fixed in #4667 . The fix was included in Atlantis v0.30.0. All users are advised to upgrade. There are no known workarounds for this vulnerability.\"},{\"lang\":\"es\",\"value\":\"Atlantis es una aplicaci\u00f3n Golang autoalojada que escucha los eventos de solicitud de extracci\u00f3n de Terraform a trav\u00e9s de webhooks. Los registros de Atlantis contienen credenciales de GitHub (tokens `ghs_...`) cuando se rotan. Esto permite que un atacante pueda leer estos registros para hacerse pasar por la aplicaci\u00f3n Atlantis y realizar acciones en GitHub. Cuando se utiliza Atlantis para administrar una organizaci\u00f3n de GitHub, esto permite obtener privilegios de administraci\u00f3n en la organizaci\u00f3n. Esto se inform\u00f3 en #4060 y se corrigi\u00f3 en #4667. La correcci\u00f3n se incluy\u00f3 en Atlantis v0.30.0. Se recomienda a todos los usuarios que actualicen. No existen workarounds para esta vulnerabilidad.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"vulnerableSystemConfidentiality\":\"HIGH\",\"vulnerableSystemIntegrity\":\"NONE\",\"vulnerableSystemAvailability\":\"NONE\",\"subsequentSystemConfidentiality\":\"HIGH\",\"subsequentSystemIntegrity\":\"HIGH\",\"subsequentSystemAvailability\":\"HIGH\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirements\":\"NOT_DEFINED\",\"integrityRequirements\":\"NOT_DEFINED\",\"availabilityRequirements\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnerableSystemConfidentiality\":\"NOT_DEFINED\",\"modifiedVulnerableSystemIntegrity\":\"NOT_DEFINED\",\"modifiedVulnerableSystemAvailability\":\"NOT_DEFINED\",\"modifiedSubsequentSystemConfidentiality\":\"NOT_DEFINED\",\"modifiedSubsequentSystemIntegrity\":\"NOT_DEFINED\",\"modifiedSubsequentSystemAvailability\":\"NOT_DEFINED\",\"safety\":\"NOT_DEFINED\",\"automatable\":\"NOT_DEFINED\",\"recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\",\"baseScore\":8.5,\"baseSeverity\":\"HIGH\"}}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-532\"}]}],\"references\":[{\"url\":\"https://argo-cd.readthedocs.io/en/stable/operator-manual/security\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/runatlantis/atlantis/issues/4060\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/runatlantis/atlantis/pull/4667\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/runatlantis/atlantis/releases/tag/v0.30.0\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/runatlantis/atlantis/security/advisories/GHSA-gppm-hq3p-h4rp\",\"source\":\"security-advisories@github.com\"}]}}"
  }
}

ghsa-gppm-hq3p-h4rp

Vulnerability from github

Published

2024-11-08 19:03

Modified

2024-11-20 19:32

Severity ?

8.5 (High) - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H

Summary

Git credentials are exposed in Atlantis logs

Details

Summary

Short summary of the problem. Make the impact and severity as clear as possible. For example: An unsafe deserialization vulnerability allows any unauthenticated user to execute arbitrary code on the server.

Atlantis logs contains GitHub credentials (tokens ghs_...) when they are rotated. This enables an attacker able to read these logs to impersonate Atlantis application and to perform actions on GitHub.

When Atlantis is used to administer a GitHub organization, this enables getting administration privileges on the organization.

This was reported in https://github.com/runatlantis/atlantis/issues/4060 and fixed in https://github.com/runatlantis/atlantis/pull/4667 . The fix was included in Atlantis v0.30.0.

Details

Give all details on the vulnerability. Pointing to the incriminated source code is very helpful for the maintainer.

While auditing the Kubernetes/Argo CD/Atlantis deployment of some company, the following set-up was encountered:

Most employees have read-only access to Argo CD, enabling them to see the health of deployed applications.
Atlantis was deployed as an Argo CD application.
Atlantis was used to manage the configuration of a GitHub organization (such as team members), using Terraform's GitHub integration.

Atlantis logs on Argo CD contained lines such as:

json {"level":"debug","ts":"2024-11-07T17:58:30.636Z","caller":"vcs/gh_app_creds_rotator.go:58","msg":"Refreshing git tokens for Github App","json":{}} {"level":"debug","ts":"2024-11-07T17:58:30.637Z","caller":"vcs/gh_app_creds_rotator.go:64","msg":"token ghs_[REDACTED]","json":{}} {"level":"debug","ts":"2024-11-07T17:58:30.637Z","caller":"vcs/git_cred_writer.go:36","msg":"git credentials file has expected contents, not modifying","json":{}}

This enabled employees with read-only access to Argo CD to get administration privileges on the GitHub organization, compromising all repositories. As some repositories were used for Infrastructure-as-Code deployment (with Atlantis), this enabled the security auditors to get cluster admin privileges on most Kubernetes clusters.

While the set-up "most employees have read-only access to Argo CD" can be seen as dangerous, this should not incur such security risk (cf. https://argo-cd.readthedocs.io/en/stable/operator-manual/security/). The main issue here was that the logs contained privileged GitHub tokens as they were obtained by Atlantis.

This issue was already reported (https://github.com/runatlantis/atlantis/issues/4060) and fixed (https://github.com/runatlantis/atlantis/pull/4667) but no security advisory was published on https://github.com/runatlantis/atlantis/security and no CVE was assigned (https://app.opencve.io/cve/?&vendor=runatlantis&product=atlantis only lists CVE-2022-24912, which is unrelated).

Could you please publish a security advisory?

PoC

Complete instructions, including specific configuration details, to reproduce the vulnerability.

cf. https://github.com/runatlantis/atlantis/issues/4060 for more details.

Impact

What kind of vulnerability is it? Who is impacted?

This leaks sensitive GitHub tokens in the log files (CWE-532: Insertion of Sensitive Information into Log File).
This could enable anyone with log read access to compromiseGitHub organizations managed by Atlantis.
This impact at least users using Atlantis with Github application and integration.

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/runatlantis/atlantis"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.30.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-52009"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-11-08T19:03:35Z",
    "nvd_published_at": "2024-11-08T23:15:05Z",
    "severity": "HIGH"
  },
  "details": "### Summary\n_Short summary of the problem. Make the impact and severity as clear as possible. For example: An unsafe deserialization vulnerability allows any unauthenticated user to execute arbitrary code on the server._\n\nAtlantis logs contains GitHub credentials (tokens `ghs_...`) when they are rotated. This enables an attacker able to read these logs to impersonate Atlantis application and to perform actions on GitHub.\n\nWhen Atlantis is used to administer a GitHub organization, this enables getting administration privileges on the organization.\n\nThis was reported in https://github.com/runatlantis/atlantis/issues/4060 and fixed in https://github.com/runatlantis/atlantis/pull/4667 . The fix was included in [Atlantis v0.30.0](https://github.com/runatlantis/atlantis/releases/tag/v0.30.0).\n\n### Details\n_Give all details on the vulnerability. Pointing to the incriminated source code is very helpful for the maintainer._\n\nWhile auditing the Kubernetes/Argo CD/Atlantis deployment of some company, the following set-up was encountered:\n\n- Most employees have read-only access to Argo CD, enabling them to see the health of deployed applications.\n- Atlantis was deployed as an Argo CD application.\n- Atlantis was used to manage the configuration of a GitHub organization (such as team members), using [Terraform\u0027s GitHub integration](https://registry.terraform.io/providers/integrations/github/latest).\n\nAtlantis logs on Argo CD contained lines such as:\n\n```json\n{\"level\":\"debug\",\"ts\":\"2024-11-07T17:58:30.636Z\",\"caller\":\"vcs/gh_app_creds_rotator.go:58\",\"msg\":\"Refreshing git tokens for Github App\",\"json\":{}}\n{\"level\":\"debug\",\"ts\":\"2024-11-07T17:58:30.637Z\",\"caller\":\"vcs/gh_app_creds_rotator.go:64\",\"msg\":\"token ghs_[REDACTED]\",\"json\":{}}\n{\"level\":\"debug\",\"ts\":\"2024-11-07T17:58:30.637Z\",\"caller\":\"vcs/git_cred_writer.go:36\",\"msg\":\"git credentials file has expected contents, not modifying\",\"json\":{}}\n```\n\nThis enabled employees with read-only access to Argo CD to get administration privileges on the GitHub organization, compromising all repositories. As some repositories were used for Infrastructure-as-Code deployment (with Atlantis), this enabled the security auditors to get cluster admin privileges on most Kubernetes clusters.\n\nWhile the set-up \"most employees have read-only access to Argo CD\" can be seen as dangerous, this should not incur such security risk (cf. https://argo-cd.readthedocs.io/en/stable/operator-manual/security/). The main issue here was that the logs contained privileged GitHub tokens as they were obtained by Atlantis.\n\nThis issue was already reported  (https://github.com/runatlantis/atlantis/issues/4060) and fixed (https://github.com/runatlantis/atlantis/pull/4667) but no security advisory was published on https://github.com/runatlantis/atlantis/security and no CVE was assigned (https://app.opencve.io/cve/?\u0026vendor=runatlantis\u0026product=atlantis only lists [CVE-2022-24912](https://nvd.nist.gov/vuln/detail/CVE-2022-24912), which is unrelated).\n\nCould you please publish a security advisory?\n\n### PoC\n_Complete instructions, including specific configuration details, to reproduce the vulnerability._\n\ncf. https://github.com/runatlantis/atlantis/issues/4060 for more details.\n\n### Impact\n_What kind of vulnerability is it? Who is impacted?_\n\n- This leaks sensitive GitHub tokens in the log files (CWE-532: Insertion of Sensitive Information into Log File).\n- This could enable anyone with log read access to compromiseGitHub organizations managed by Atlantis.\n- This impact at least users using Atlantis with Github application and integration.",
  "id": "GHSA-gppm-hq3p-h4rp",
  "modified": "2024-11-20T19:32:50Z",
  "published": "2024-11-08T19:03:35Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/runatlantis/atlantis/security/advisories/GHSA-gppm-hq3p-h4rp"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-52009"
    },
    {
      "type": "WEB",
      "url": "https://github.com/runatlantis/atlantis/issues/4060"
    },
    {
      "type": "WEB",
      "url": "https://github.com/runatlantis/atlantis/pull/4667"
    },
    {
      "type": "WEB",
      "url": "https://argo-cd.readthedocs.io/en/stable/operator-manual/security"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/runatlantis/atlantis"
    },
    {
      "type": "WEB",
      "url": "https://github.com/runatlantis/atlantis/releases/tag/v0.30.0"
    },
    {
      "type": "WEB",
      "url": "https://pkg.go.dev/vuln/GO-2024-3265"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Git credentials are exposed in Atlantis logs"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

cve-2024-52009

Vulnerability from cvelistv5

ghsa-gppm-hq3p-h4rp

Vulnerability from github

Summary

Details

PoC

Impact

Tags

Sightings

Nomenclature